Non-financial Risk Management in the Financial Industry

Reputational risk refers to the potential for negative publicity, public perception or uncontrollable events to have an adverse impact on a company’s reputation, thereby affecting its revenue and market position. In Europe, the EBA defines reputational risk as “the current or prospective risk to the institution’s earnings, own funds or liquidity arising from damage to the institution’s reputation.” [108]

In its guidance on managing outsourcing risk, the FED defines reputational risk as arising when “actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.” [109]The FDIC defines reputational risk in its guidelines for managing third-party risk as

“the risk arising from negative public opinion. Third-party relationships that result in dissatisfied customers, interactions not consistent with institution policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation are all examples that could harm the reputation and standing of the financial institution in the community it serves. Also, any negative publicity involving the third party, whether or not the publicity is related to the institution’s use of the third party, could result in reputation risk.” [110]

Sustainability risk refers to the uncertainty in being able to sustain the growth of a given system (a corporation, household, community or economy) because certain practices may have negative externalities which result in the dilapidation of value chain of the system over a period of time or impact other related systems. Specifically, sustainability risk also includes the risk from ESG topics impacting on a company’s strategy and direction.

The EBA defines ESG risks as “the risks of any negative financial impact on the institution stemming from the current or prospective impacts of ESG factors on its counterparties or invested assets.” [111]For more details, we refer to chapter 15.

Regulators have published guidelines and frameworks regarding the management of ESG risks, with a strong focus on climate and environmental risk. The ECB published a comprehensive guide on climate-related and environmental risks in 2020. This guide includes a definition of climate and environmental risks as being commonly understood to comprise two main risk drivers [112]:

physical risk refers to the financial impact of a changing climate, including more frequent extreme weather events and gradual changes in climate, as well as of environmental degradation, such as air, water and land pollution, water stress, biodiversity loss and deforestation;

transition risk refers to an institution’s financial loss that can result, directly or indirectly, from the process of adjustment towards a lower-carbon and more environmentally sustainable economy.

In 2021, the EBA published its report on management and supervision of ESG risks for credit institutions and investment firms. This report provides a comprehensive proposal on how ESG factors and ESG risks should be included in the regulatory and supervisory framework for credit institutions and investment firms. [113]In the UK, the PRA has published a supervisory statement on the management of financial risks from climate change by banks and insurers, with the definitions stated being similar to the EBA definition. [114]The OSFI in Canada also uses a definition of climate change risk that is similar to the EBA definition. [115]In Asia-Pacific, the MAS has issued guidelines on environmental risk management for banks. [116]For this book, we use the ECB definition of climate change risk.

Human rights risks refer to the potential adverse impacts that a company can have on the enjoyment of human rights. [117]For financial institutions, we define human rights risk as the risk of losses to the financial institution from violation of human rights, either by the financial institution itself or by its customers .

The United Nations Environment Programme (UNEP) Finance Initiative has published a guidance tool to assist financial institutions identifying potential human rights risks arising from the activities of corporate customers/clients. [118]These risks depend on a company’s business activities, products and services, its countries of operation, business relationships and the appropriateness of its existing prevention and mitigating measures.

Generally, business risk can be viewed as a threat to the company’s ability to achieve its financial goals. [119]Based on this, we define business risk as the risk that a failed or flawed business decision, or the lack thereof, poses to the financial situation of a company . This risk is strongly related to the strategic direction and business strategy of the company. Risk events from business risk can imply the loss of market share or even the obsolescence of parts of the business due to changes in the competitive environment, for example from substitute products or technological advancement.

Forecasting risk is the possibility that errors in projected data (e.g. cash flows) or forecasting models (e.g. on market growth, price and cost developments, attractivity of certain products and services to customers) will lead to incorrect business decisions and corresponding losses.

Inorganic growth risk describes the risk involved in inorganic growth arising from mergers or takeovers rather than an increase in the company’s own business activity. This includes the risks connected to the due diligence process and the post-merger integration.

This describes the risk of losses resulting from expanding the business activities into new products, markets, distribution channels or customer groups.

This includes any risk resulting from insufficient or wrong communication between the company and its shareholders/investors, which can lead to financing struggles or a share price decline.

Non-financial risk has been gaining significant importance over the recent years as incidents such as the financial crisis of 2008 and recent money laundering scandals have shown that organisations not only need to keep their financial risks but also their non-financial risks in mind. Given that there is no general definition of non-financial risk and that regulators of different jurisdictions have not yet developed a common view, financial institutions need to develop their own non-financial risk taxonomies based on their business models and risk appetites.

Generally, non-financial risk is divided into two main categories: operational and strategic risks. The former contains operational risks, i.e. risks related to banking operations, while the latter contains those risks that we view as strategic risks, which makes them part of non-financial risk but separate from operation-related risks. This approach combines the specification of operational risks according to the BCBS definition, considering that the risks falling under strategic risks are also non-financial risks. Historically, we have seen that the non-financial risk taxonomy constantly evolves parallel to emergent risk topics, e.g. cybercrime and resilience risk due to access to new technologies. It will be interesting to see which currently unknown risk topics will surface in the future. Therefore, all the better if organisations are already well-positioned concerning the known risk topics.